Your Website is Collecting More Personal Data Than You Think

As a privacy professional, if I had a dollar for every time someone said “my website does not collect any personal data” or “my website collects very little personal data”, I would be rich. Many business owners incorrectly assume that their websites do not collect any personal data at all and thus think that privacy laws or privacy requirements do not apply to them. The truth is that the vast majority of modern websites do collect personal data. While collecting personal data is a very common occurrence and there’s nothing inherently wrong with doing so, it can subject your business to privacy laws and their requirements. In this article, we will discuss what personal data is and how websites collect it, both through visible ways and through various tools and features so that you can review your website and confirm whether it is collecting personal data. 

What is “personal data”? 

Privacy laws define “personal data” (also known as personal information or personally identifiable information) as any information that could identify a specific person or any information relating to a specific person. This means that information commonly collected through websites such as names, emails, phone numbers, physical addresses, IP addresses, and device identifiers are considered personal data. In addition, if you combine personal data such as names with other data such as someone’s purchasing history (i.e. what they bought on your website), then purchasing history will be considered personal data as well since it’s relating to an identified person. 

Visible ways of collecting personal data

When it comes to websites, there are two ways in which websites collect personal data – in ways that are easily visible to website visitors and in ways that are not. In terms of the visible ways, these are website features where the individual knowingly submits their personal data to the website. Examples of the visible ways in which websites collect personal data include: 

1. Contact forms: websites frequently have contact forms where individuals can submit their personal data such as names, emails, and phone numbers to reach out to the business or ask them a question about their products or services; 
2. Email newsletter subscription forms: these forms collect names and emails and subscribe individuals to receive email marketing newsletters; 
3. Account creation forms: these forms collect names, emails, usernames, and passwords to allow the individual to create an account on the website; 
4. eCommerce features: these features collect names, emails, shipping addresses, billing addresses, and payment information (if no payment processor is used) to allow an individual to make a purchase on the website; 
5. Website blog comment forms: these forms usually will collect a name and email address to allow an individual to post a comment in response to a blog article; 
6. Chat features: these features will usually require the website visitor to input their name and email address to interact with the chat; and 
7. Scheduling tools: these tools will usually require the website visitor to input a name, email address and phone number to schedule an appointment with the business. 

Not so visible ways of collecting personal data 

While many websites have the visible features where individuals know that their personal data is being collected because the individual themselves has to submit that data, most websites also collect personal data through ways that are less obvious or visible to the website visitor. In this case, personal data is collected automatically behind the scenes without the website visitor having to input any of this data themselves. Examples of the less visible ways that websites collect personal data include: 

1. Advertising and remarketing features such as LinkedIn Insights Tag or the Meta Pixel: these features can collect information on how individuals interact with your website or with ads, IP addresses, names (as these features link that person’s social media profile with their interactions with ads), and their social media ID. 
2. Analytics features such as Google Analytics, Hotjar, or Shopify Analytics: these features can collect an individual’s IP address, device identifier, and information as to how the individual interacts with your website;
3. Data linking platforms such as Zapier: these platforms can collect any personal data that is passed through the linking platform, including addresses, online identifiers, phone numbers, and device identifiers;
4. Font loading scripts such as Google Fonts: these font loading scripts can collect IP addresses.
5. Map embeds such as Google Maps: map embeds can collect IP addresses and information on how people interact with the maps. 
6. Security and spam prevention features such as reCAPTCHA or hCaptcha: these features can collect browsing history, device identifiers, search history, and information on how people interact with your website; 
7. Social media embedding features such as embedded Facebook or X feeds: these features can collect personal data such as the individual’s social media user ID and information on how individuals interact with the social embedding features (e.g. liking a post); 
8. Tag managers such as Google Tag Manager: these features can collect personal data such as geolocation information and information regarding an individual’s interactions with advertisements;
9. Video embeds such as YouTube videos or Vimeo videos: these features can collect personal data such as IP address and information on how individuals interact with embedded videos. 

So what if my website collects personal data? 

As the next step, you should review your website for any of the features listed above to see whether it collects personal data. If it does, then you should know that privacy laws can apply to you. These laws may require your website to have a comprehensive and up to date Privacy Policy that includes the disclosures required by the laws that apply to you. You may also need to have a cookie consent banner that allows individuals to choose whether they want to have their personal data to be collected and whether they want to be tracked through the not so visible ways of collecting personal data.